Visa Clarifies Card Security Rules for Merchants

Merchants need not retain cards' full, 16-digit account numbers to resolve disputes, even though some acquirers and processors say otherwise, according to Visa Inc.

In a clarification to its rules announced Wednesday, Visa said merchants may use other identifying details to handle disputes, such as time stamps and transaction amounts, in conjunction with truncated or masked card numbers. Merchants have always had the option of using a substitute for the actual card number, it said.

Visa issued the clarification after the National Retail Federation, a Washington trade group for merchants, notified the San Francisco payments company that some of its members were experiencing confusion. Merchants should have a choice of using different types of data instead of a complete card number, Visa said; only truncated card numbers are printed on customers' receipts.

According to the NRF, some acquirers and processors have demanded merchants retain complete card numbers so they could more easily find the transaction should a dispute arise. Such policies contradict the payments industry's efforts to prevent merchants from retaining sensitive card data after transactions are completed.

Issuers also must accept a disguised or truncated card number on transaction receipts, Visa said.

"Visa agrees with what we've been saying, that merchants shouldn't be required to store card numbers," said David Hogan, the NRF's chief information officer and a senior vice president. "This clarification from Visa is a promising step in that direction."

Merchants do not want to hold onto card numbers, Hogan said. "The challenge has been, in the past we feel as if we were forced to secure some information that we don't want to have in our four walls."

Also on Wednesday, Visa issued a set of best practices for tokenization, covering token generation, how to map the token to the original transaction, how to define the repository that holds the cardholder data, and how cryptographic keys should be managed and used. Tokenization is a common security technique in which actual card numbers are replaced with proxies that are of no value to thieves if they are intercepted.